ensure all fuzz targets are killed on exit

author: vanhauser-thc <vh@thc.org> 2022-01-25 14:51:02 +0100
committer: vanhauser-thc <vh@thc.org> 2022-01-25 14:51:02 +0100
commit: d9ed7842987f221eee068c0b61cf890d5ed6aff7 (patch)
tree: 80661f41a8a8f88acb36ee1f65aff331f87c601c
parent: 0fd6315dfb45dcc058dcf891efb8fb83eb1de225 (diff)
download: afl++-d9ed7842987f221eee068c0b61cf890d5ed6aff7.tar.gz
2 files changed, 47 insertions, 11 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index e25b43da..e89a0761 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -33,6 +33,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
       (it is better!)
     - fix a regression introduced in 3.10 that resulted in less
       coverage being detected. thanks to Collin May for reporting!
+    - ensure all spawned targets are killed on exit
     - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
       incorrect LTO usage setups and enhanced the READMEs for better
       information on how to deal with instrumenting libraries
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 06bff2be..d34cc6b4 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -46,15 +46,31 @@ extern u64 time_spent_working;
 
 static void at_exit() {
 
-  s32   i, pid1 = 0, pid2 = 0;
+  s32   i, pid1 = 0, pid2 = 0, pgrp = -1;
   char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL};
   char *ptr;
 
   ptr = getenv("__AFL_TARGET_PID2");
-  if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) kill(pid2, SIGTERM);
+  if (ptr && *ptr && (pid2 = atoi(ptr)) > 0) {
+
+#if defined(__linux__)
+    pgrp = getpgid(pid2);
+#endif
+    if (pgrp > 0) { killpg(pgrp, SIGTERM); }
+    kill(pid2, SIGTERM);
+
+  }
 
   ptr = getenv("__AFL_TARGET_PID1");
-  if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) kill(pid1, SIGTERM);
+  if (ptr && *ptr && (pid1 = atoi(ptr)) > 0) {
+
+#if defined(__linux__)
+    pgrp = getpgid(pid1);
+#endif
+    if (pgrp > 0) { killpg(pgrp, SIGTERM); }
+    kill(pid1, SIGTERM);
+
+  }
 
   ptr = getenv(CPU_AFFINITY_ENV_VAR);
   if (ptr && *ptr) unlink(ptr);
@@ -85,8 +101,25 @@ static void at_exit() {
   /* AFL_KILL_SIGNAL should already be a valid int at this point */
   if ((ptr = getenv("AFL_KILL_SIGNAL"))) { kill_signal = atoi(ptr); }
 
-  if (pid1 > 0) { kill(pid1, kill_signal); }
-  if (pid2 > 0) { kill(pid2, kill_signal); }
+  if (pid1 > 0) {
+
+#if defined(__linux__)
+    pgrp = getpgid(pid1);
+#endif
+    if (pgrp > 0) { killpg(pgrp, kill_signal); }
+    kill(pid1, kill_signal);
+
+  }
+
+  if (pid2 > 0) {
+
+#if defined(__linux__)
+    pgrp = getpgid(pid1);
+#endif
+    if (pgrp > 0) { killpg(pgrp, kill_signal); }
+    kill(pid2, kill_signal);
+
+  }
 
 }
 
@@ -121,8 +154,7 @@ static void usage(u8 *argv0, int more_help) {
 #if defined(__linux__)
       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
       "  -U            - use unicorn-based instrumentation (Unicorn mode)\n"
-      "  -W            - use qemu-based instrumentation with Wine (Wine "
-      "mode)\n"
+      "  -W            - use qemu-based instrumentation with Wine (Wine mode)\n"
 #endif
 #if defined(__linux__)
       "  -X            - use VM fuzzing (NYX mode - standalone mode)\n"
@@ -173,8 +205,8 @@ static void usage(u8 *argv0, int more_help) {
       "  -T text       - text banner to show on the screen\n"
       "  -I command    - execute this command/script when a new crash is "
       "found\n"
-      //"  -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap
-      //" "file\n"
+      //"  -B bitmap.txt - mutate a specific test case, use the
+      //out/default/fuzz_bitmap file\n"
       "  -C            - crash exploration mode (the peruvian rabbit thing)\n"
       "  -b cpu_id     - bind the fuzzing process to the specified CPU core "
       "(0-...)\n"
@@ -744,6 +776,7 @@ int main(int argc, char **argv_orig, char **envp) {
       case 'f':                                              /* target file */
 
         if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); }
+
         afl->fsrv.out_file = ck_strdup(optarg);
         afl->fsrv.use_stdin = 0;
         break;
@@ -923,6 +956,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
       case 'Y':                                     /* NYX distributed mode */
         if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); }
+
         afl->fsrv.nyx_mode = 1;
 
         break;
@@ -966,6 +1000,7 @@ int main(int argc, char **argv_orig, char **envp) {
       case 'Q':                                                /* QEMU mode */
 
         if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); }
+
         afl->fsrv.qemu_mode = 1;
 
         if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; }
@@ -1076,6 +1111,7 @@ int main(int argc, char **argv_orig, char **envp) {
       case 'L': {                                              /* MOpt mode */
 
         if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); }
+
         afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
 
         if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) {
@@ -1276,8 +1312,7 @@ int main(int argc, char **argv_orig, char **envp) {
   if (afl->fsrv.nyx_mode) {
 
     OKF("afl++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)");
-    OKF("Nyx is open source, get it at "
-        "https://github.com/Nyx-Fuzz");
+    OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz");
 
   }
author	vanhauser-thc <vh@thc.org>	2022-01-25 14:51:02 +0100
committer	vanhauser-thc <vh@thc.org>	2022-01-25 14:51:02 +0100
commit	d9ed7842987f221eee068c0b61cf890d5ed6aff7 (patch)
tree	80661f41a8a8f88acb36ee1f65aff331f87c601c
parent	0fd6315dfb45dcc058dcf891efb8fb83eb1de225 (diff)
download	afl++-d9ed7842987f221eee068c0b61cf890d5ed6aff7.tar.gz